- Question ID: 2019_4560
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 97
- Paragraph: 1
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 24 (1) (2)
- Name of institution / submitter: BPER Banca
- Country of incorporation / residence: Italy
- Type of submitter: Credit institution
- Subject matter: SCA profiles and multiple-use of devices
- Question: Can multiple users use the same device (i.e. smartphone) and have different strong customer authentication (SCA) profiles on the same device?
- Background on the question:

  Article 24 of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication only explains that "Payment service providers" shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software.

  Article 24 does not say anything about multiple use of devices.

  "Article 24 - Association with the payment service user

  1. Payment service providers shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software.

  2. For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:

  (a) the association of the payment service user's identity with personalised security credentials, authentication devices and software is carried out in secure environments under the payment service provider's responsibility comprising at least the payment service provider's premises, the internet environment provided by the payment service provider or other similar secure websites used by the payment service provider and its automated teller machine services, and taking into account risks associated with devices and underlying components used during the association process that are not under the responsibility of the payment service provider;

  (b) the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication."
- Submission date:
- Final publishing date:
- Final answer:

  Article 24(1) of the Commission Delegated Regulation (EU) 2018/389 provides that ‘payment service providers shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software’. Paragraph 2, letter ‘b’ of the same article continues by specifying that ‘the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.’

  In line with the requirements of Article 24 of the Delegated Regulation only a single payment service user can be associated, at a time, with the personalised security credentials, the authentication devices and/or software. This does not preclude, however, the use of the same authentication device and/or software by multiple payment service users having different SCA profiles when supported by the device and/or software.
- Status: Final Q&A
- Answer prepared by: the EBA.
Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.